
Make 'allowed_users' in conf.json accept user groups #207

Closed

bugy opened this issue Apr 11, 2019 · 8 comments

bugy (Owner) commented Apr 11, 2019

At the moment, the allowed_users setting in the conf.json file accepts only usernames. It should be improved to allow specifying groups (e.g. when groups are loaded from LDAP and not known in advance), as in other places, with the @ prefix.

bugy (Owner, Author) commented Apr 11, 2019

Hi @tristanlatr, this one is fixed, could you try it please?

bugy added the resolved label Apr 11, 2019

muzzol commented Apr 29, 2019

Just a quick reply to note that the docs don't reflect this change (I was searching for it).

bugy (Owner, Author) commented Apr 29, 2019

Hi @muzzol, this feature is only in the dev version at the moment. I will add it to the documentation once it is released.

muzzol commented Apr 29, 2019

OK, I'll test the dev version in the meantime.

tristanlatr commented

Hi,

It doesn't work for me...

Here are the commands I ran in my dev environment to test this feature:

service script-server stop
git checkout tags/dev
tools/init.py --dev --no-npm
service script-server start

Conf file:

{
  "address": "127.0.0.1",
  "port": 5443,
  "title": "Script Server",
  "ssl": {
    "key_path": "***",
    "cert_path": "***"
  },
  "auth": {
    "type": "ldap",
    "url": "***",
    "base_dn": "DC=my-domain,DC=ca",
    "username_pattern": "MYDOMAIN\\$username",
    "version": 3
  },
  "access": {
    "allowed_users": ["@regular_users"],
    "trusted_ips": ["127.0.0.1"],
    "admin_users": ["admin"],
    "groups": {
      "LDAP-GROUP-1": [],
      "LDAP-GROUP-2": [], // it doesn't work if I don't declare the groups first, I get a KeyError
      "team_users": ["@LDAP-GROUP-1"],
      "regular_users": ["@LDAP-GROUP-2", "@team_users"]
    }
  },
  "logging": {
    "execution_file": "$DATE-$SCRIPT-$AUDIT_NAME-#$ID.log",
    "execution_date_format": "%Y-%m-%dT%H:%M:%S%z"
  }
}

Logs:

2019-05-03 10:08:08,236 [script_server.tornado_auth.INFO] Trying to authenticate user
2019-05-03 10:08:08,236 [script_server.LdapAuthorizer.INFO] Logging in user tristanlatr
2019-05-03 10:08:08,571 [script_server.LdapAuthorizer.INFO] Loaded groups for tristanlatr: ['LDAP-GROUP-1', 'other groups...']
2019-05-03 10:08:08,575 [script_server.tornado_auth.INFO] Authenticated user tristanlatr
2019-05-03 10:08:08,576 [tornado.access.INFO] 200 POST /login (127.0.0.1) 341.12ms
2019-05-03 10:08:08,596 [web_server.WARNING] User tristanlatr is not allowed
2019-05-03 10:08:08,596 [tornado.general.WARNING] 403 GET /index.html (127.0.0.1): Access denied. Please contact system administrator

bugy (Owner, Author) commented May 4, 2019

Hi @tristanlatr, could you try putting @LDAP-GROUP-1 and @LDAP-GROUP-2 directly into allowed users? I believe at the moment you cannot include LDAP groups in user-defined groups (let's call it a bug).

bugy closed this as completed May 5, 2019

tristanlatr commented

Hi,

Thanks for the feature.

I'm confirming that it works when adding the LDAP groups directly into the allowed users field.
But it looks like we cannot merge local groups with LDAP groups, so the authorization per script needs to specify LDAP groups, not script-server groups.
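To illustrate the resolution problem discussed above (a user-defined group that references an LDAP group the server has never seen locally), here is an added example of a group-aware allowed_users check; it is not script-server's own code. It assumes the config shape from the issue (access.allowed_users, access.groups, "@name" references) and treats any "@name" that is not a locally defined group as an external group supplied by the authenticator, instead of failing with a KeyError.

```python
"""Group-aware allowed_users check (added example, not script-server's code).

Assumed config shape follows the issue: access.allowed_users and access.groups,
with "@name" references. The user's LDAP groups come from the authenticator;
here they are passed in as a constructed list.
"""
from typing import Dict, Iterable, List, Set


def expand_group(name: str, groups: Dict[str, List[str]], external: Set[str],
                 seen: Set[str]) -> Set[str]:
    """Return all usernames reachable from group `name`.

    A reference to a group that is not defined locally is recorded in `external`
    (assumed to be an LDAP group) rather than raising KeyError. `seen` breaks
    reference cycles between user-defined groups.
    """
    if name in seen:
        return set()
    seen.add(name)
    if name not in groups:            # not defined locally -> external (LDAP) group
        external.add(name)
        return set()
    members: Set[str] = set()
    for m in groups[name]:
        if m.startswith("@"):
            members |= expand_group(m[1:], groups, external, seen)
        else:
            members.add(m)
    return members


def is_allowed(user: str, user_groups: Iterable[str], access: Dict) -> bool:
    """True if `user` is listed directly, or via any nested group, in allowed_users."""
    groups = access.get("groups", {})
    users: Set[str] = set()
    external: Set[str] = set()
    for entry in access.get("allowed_users", []):
        if entry.startswith("@"):
            users |= expand_group(entry[1:], groups, external, set())
        else:
            users.add(entry)
    return user in users or bool(external & set(user_groups))


# Constructed access section mirroring the issue, without the empty placeholder groups.
ACCESS = {
    "allowed_users": ["@regular_users"],
    "groups": {
        "team_users": ["@LDAP-GROUP-1"],
        "regular_users": ["@LDAP-GROUP-2", "@team_users"],
    },
}
```

With this resolution, a user whose LDAP groups include LDAP-GROUP-1 is allowed through regular_users -> team_users -> @LDAP-GROUP-1, which is the nesting the config in the issue tried to express.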

bugy (Owner, Author) commented May 6, 2019

Moved to a separate ticket: #212
